Mapping between NIS2 and Magenta's ISO certifications
Magenta is ISO-certified in information security (ISO 27001) and in privacy information management for GDPR (ISO 27701). Together, the two certifications also cover the cybersecurity risk-management requirements of NIS2; the mapping between the ISO standards and NIS2 further down the page shows exactly where the overlap is complete and where it is not.
Before you dig into the mapping, here is what we consider particularly important in this context:
- Strengthening the supply chain and supplier management: Both ISO 27001 and NIS2 stress the importance of placing requirements on suppliers so that the entire supply chain is secure.
- Risk-based and structured approach to security: ISO 27001 and ISO 27701 are both management systems that, like NIS2, use a systematic, risk-based approach to managing information security and personal data. Instead of reacting to incidents, risks are proactively identified, assessed and mitigated.
- Reduced risk of security breaches and data leaks: Compliance with all three frameworks lowers the likelihood of cyber attacks and data leaks. This protects not only Magenta's own assets but also our customers' data, and it reduces the risk of costly operational disruption, data loss and reputational damage.
- Protection of personal data and focus on GDPR compliance: ISO 27701 is an extension of ISO 27001 that focuses specifically on the protection of personal data. Combining ISO 27701, which focuses on protecting personal data and the rights of the individual, with NIS2, which primarily aims to raise cybersecurity and resilience, gives a very strong overall posture.
- Documentation and governance: All three frameworks require extensive documentation of the implemented security measures, policies and procedures, and they stress management's focus on, and responsibility for, ensuring continuous compliance with the requirements.
Note that the mapping covers NIS2 Article 20 (Governance) and, above all, Article 21: Cybersecurity risk-management measures, which forms the core of the directive's security requirements. Article 21 describes the specific measures that entities must implement. These measures must be appropriate and proportionate to the risks the entity faces. They include:
- Policies on risk analysis and information system security.
- Incident handling, including detection, analysis and response.
- Business continuity, such as backup management, disaster recovery and crisis management.
- Supply chain security, covering the relationship with direct suppliers and service providers.
- Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure.
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.
- Basic cyber hygiene practices and cybersecurity training.
- Policies and procedures on the use of cryptography and, where appropriate, encryption.
- Human resources security, access control policies and asset management.
- Use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems.
| NIS2 requirement | NIS2 article | ISO/IEC 27001:2022 clause or Annex A control |
|---|---|---|
| Management bodies must approve the cybersecurity risk-management measures | Article 20, paragraph 1 | 6.1.3 Information security risk treatment |
| Management bodies must oversee the implementation of cybersecurity risk-management measures | Article 20, paragraph 1 | 9.1 Monitoring, measurement, analysis and evaluation; 9.2 Internal audit; 9.3 Management review |
| Members of the management bodies are required to follow training, and must offer similar training to their employees on a regular basis | Article 20, paragraph 2 | 7.2 Competence; A.6.3 Information security awareness, education and training |
| Entities must take appropriate and proportionate technical, operational and organisational measures to manage the risks | Article 21, paragraph 1 | 6.1.3 Information security risk treatment; 6.2 Information security objectives and planning to achieve them; 8.1 Operational planning and control |
| When assessing the proportionality of measures, due account shall be taken of the degree of the entity's exposure to risks, the entity's size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact | Article 21, paragraph 1 | 6.1.2 Information security risk assessment |
| Policy on risk analysis | Article 21, paragraph 2, point (a) | 6.1.2 Information security risk assessment |
| Policy on information system security | Article 21, paragraph 2, point (a) | 5.2 Policy |
| Incident handling | Article 21, paragraph 2, point (b) | A.5.24 Information security incident management planning and preparation; A.5.25 Assessment and decision on information security events; A.5.26 Response to information security incidents |
| Business continuity | Article 21, paragraph 2, point (c) | A.5.29 Information security during disruption |
| Backup management | Article 21, paragraph 2, point (c) | A.8.13 Information backup |
| Disaster recovery | Article 21, paragraph 2, point (c) | A.5.30 ICT readiness for business continuity; A.8.14 Redundancy of information processing facilities |
| Crisis management | Article 21, paragraph 2, point (c) | (no directly corresponding clause or control in ISO 27001) |
| Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers | Article 21, paragraph 2, point (d) | A.5.19 Information security in supplier relationships; A.5.20 Addressing information security within supplier agreements; A.5.21 Managing information security in the ICT supply chain; A.5.22 Monitoring, review and change management of supplier services; A.5.23 Information security for use of cloud services |
| Security in network and information systems acquisition, development and maintenance | Article 21, paragraph 2, point (e) | A.8.6 Capacity management; A.8.7 Protection against malware; A.8.8 Management of technical vulnerabilities; A.8.9 Configuration management; A.8.25 Secure development life cycle; A.8.26 Application security requirements; A.8.27 Secure system architecture and engineering principles; A.8.28 Secure coding; A.8.29 Security testing in development and acceptance; A.8.30 Outsourced development; A.8.31 Separation of development, test and production environments; A.8.32 Change management; A.8.33 Test information |
| Policies and procedures to assess the effectiveness of cybersecurity risk-management measures | Article 21, paragraph 2, point (f) | 9.1 Monitoring, measurement, analysis and evaluation; 9.2 Internal audit; 9.3 Management review |
| Basic cyber hygiene practices | Article 21, paragraph 2, point (g) | A.6.8 Information security event reporting; A.7.7 Clear desk and clear screen; A.7.9 Security of assets off-premises; A.7.10 Storage media; A.8.1 User endpoint devices; A.8.5 Secure authentication; A.8.7 Protection against malware; A.8.13 Information backup; A.8.19 Installation of software on operational systems; A.8.24 Use of cryptography |
| Cybersecurity training | Article 21, paragraph 2, point (g) | 7.2 Competence; A.6.3 Information security awareness, education and training |
| Policies and procedures regarding the use of cryptography and encryption | Article 21, paragraph 2, point (h) | A.8.24 Use of cryptography |
| Human resources security | Article 21, paragraph 2, point (i) | A.6.1 Screening; A.6.2 Terms and conditions of employment; A.6.3 Information security awareness, education and training; A.6.4 Disciplinary process; A.6.5 Responsibilities after termination or change of employment |
| Access control policies | Article 21, paragraph 2, point (i) | A.5.15 Access control |
| Asset management | Article 21, paragraph 2, point (i) | A.5.9 Inventory of information and other associated assets; A.5.10 Acceptable use of information and other associated assets; A.5.11 Return of assets; A.7.9 Security of assets off-premises |
| The use of multi-factor authentication or continuous authentication solutions | Article 21, paragraph 2, point (j) | A.5.16 Identity management; A.5.17 Authentication information; A.8.5 Secure authentication |
| Secured voice, video and text communications | Article 21, paragraph 2, point (j) | A.5.14 Information transfer; A.8.21 Security of network services |
| Secured emergency communication systems within the entity | Article 21, paragraph 2, point (j) | A.8.20 Networks security |
| Take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures | Article 21, paragraph 3 | A.5.19 Information security in supplier relationships; A.5.21 Managing information security in the ICT supply chain; A.5.22 Monitoring, review and change management of supplier services; A.5.23 Information security for use of cloud services |
| Take appropriate and proportionate corrective measures | Article 21, paragraph 4 | 10.2 Nonconformity and corrective action |
As the table shows, Magenta's ISO certifications address 25 of the 26 cybersecurity requirements listed above from NIS2. Only crisis management has no real counterpart in ISO 27001. Note also that NIS2 Article 23 (Reporting obligations), which we are not subject to, sets very specific reporting requirements; these fall outside this mapping and cannot be met through the ISO standards alone.